Cpan · Text::Csv Xs · CVE-2026-7111
**Name of the Vulnerable Software and Affected Versions**
Text::CSV XS versions prior to 1.62
**Description**
A use-after-free issue exists when registered callbacks extend the Perl argument stack, potentially leading to type confusion or memory corruption. The `Parse`, `print`, `getline`, and `getline all` methods invoke registered callbacks, such as `after parse`, `before print`, or `on error`, and cache the Perl argument stack pointer. If a callback triggers a reallocation by extending the stack, the return value is written through a stale pointer into a freed buffer. Consequently, the caller may receive the original `$self` argument instead of the expected parsed data, resulting in logic errors or crashes. This issue does not affect objects used without registered callbacks.
**Recommendations**
Update to version 1.62 or later.
As a temporary workaround, avoid using registered callbacks in the `Parse`, `print`, `getline`, and `getline all` methods.